AuthManager should not mutate configured default guard, instead introduce and mutate an active guard

[tpraxl]

Laravel Version

12.x

PHP Version

8.4

Database Driver & Version

No response

Description

This is neither a bug report nor a feature request.

Description

In config/auth.php, Laravel allows users to configure their authentication guards. There's also an option to set a default guard, which is intended to be used when the Auth::* facade is called without explicitly specifying a guard—for example, Auth::user() instead of Auth::guard('my-guard')->user().

However, I noticed that the Authenticate middleware modifies this default guard by calling shouldUse while iterating through candidate guards for the current route:

https://github.com/laravel/framework/blob/767f9b71918c2b33c64fcb507e7947b76be53165/src/Illuminate/Auth/Middleware/Authenticate.php#L75C5-L88C6

protected function authenticate($request, array $guards)
{
    if (empty($guards)) {
        $guards = [null];
    }

    foreach ($guards as $guard) {
        if ($this->auth->guard($guard)->check()) {
            return $this->auth->shouldUse($guard);
        }
    }

    $this->unauthenticated($request, $guards);
}

The config.auth.defaults.guard value is meant to be a user-defined setting (configured in config/auth.php).

Background

I ran into this behavior while troubleshooting an issue where middleware was unable to access the authenticated user for a custom guard defined on a specific route.

It was quite confusing to discover that the default guard is being mutated at runtime, as I had assumed it remained static throughout the request lifecycle. This misled my debugging process and made the root cause harder to identify.

This would have been less confusing if the middleware had instead set an internal or runtime-specific guard value—something like an active, current, or actual guard—rather than mutating what is configured as a constant default.

Proposal

• Keep the default guard immutable; it should reflect only the user-configured value.
• Introduce a new concept of an active guard (or current, runtime, actual, etc.) that can be safely mutated during request handling.
• Provide Auth::getDefaultDriver() to access the configured default driver.
• Introduce something like Auth::getActiveDriver() (or getCurrentDriver(), getRuntimeDriver(), etc.) to retrieve the active driver during a request.
• Use Auth::setActiveDriver() (or the name variants) in shouldUse and whenever we formerly changed the default value.

I will gladly contribute the proposed change after having discussed it here, and if you agree.

Thank you for your consideration. I believe this change would clarify guard behavior and help avoid confusion during development.

Steps To Reproduce

This is not a bug report, but I did not find a proper board for issuing an enhancement.